Common Security: CDSA and CSSM, Version 2 (with corrigenda)
Copyright © 2000 The Open Group

Frontmatter

Technical Standard
Common Security: CDSA and CSSM, Version 2 (with corrigenda)
Document Number: C914
ISBN: 1-85912-202-7

©May 2000, The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners.

Any comments relating to the material contained in this document may be submitted to The Open Group at:

The Open Group
Apex Plaza
Forbury Road
Reading
Berkshire, RG1 1AX
United Kingdom

or by electronic mail to:

OGSpecs@opengroup.org

Preface

The Open Group

The Open Group is a vendor and technology-neutral consortium which ensures that multi-vendor information technology matches the demands and needs of customers. It develops and deploys frameworks, policies, best practices, standards, and conformance programs to pursue its vision: the concept of making all technology as open and accessible as using a telephone.

The mission of The Open Group is to deliver assurance of conformance to open systems standards through the testing and certification of suppliers' products.

The Open group is committed to delivering greater business efficiency and lowering the cost and risks associated with integrating new technology across the enterprise by bringing together buyers and suppliers of information systems.

Membership of The Open Group is distributed across the world, and it includes some of the world's largest IT buyers and vendors representing both government and commercial enterprises.

More information is available on The Open Group Web Site at http://www.opengroup.org.

Open Group Publications

The Open Group publishes a wide range of technical documentation, the main part of which is focused on development of Technical and Product Standards and Guides, but which also includes white papers, technical studies, branding and testing documentation, and business titles. Full details and a catalog are available on The Open Group Web Site at http://www.opengroup.org/pubs.

Product Standards
A Product Standard is the name used by The Open Group for the documentation that records the precise conformance requirements (and other information) that a supplier's product must satisfy. Product Standards, published separately, refer to one or more Technical Standards.
The "X" Device is used by suppliers to demonstrate that their products conform to the relevant Product Standard. By use of the Open Brand they guarantee, through the Open Brand Trademark License Agreement (TMLA), to maintain their products in conformance with the Product Standard so that the product works, will continue to work, and that any problems will be fixed by the supplier. The Open Group runs similar conformance schemes involving different trademarks and license agreements for other bodies.
Technical Standards (formerly CAE Specifications)
Open Group Technical Standards, along with standards from the formal standards bodies and other consortia, form the basis for our Product Standards (see above). The Technical Standards are intended to be used widely within the industry for product development and procurement purposes.
Technical Standards are published as soon as they are developed, so enabling suppliers to proceed with development of conformant products without delay.
Anyone developing products that implement a Technical Standard can enjoy the benefits of a single, widely supported industry standard. Where appropriate, they can demonstrate product compliance through the Open Brand.
CAE Specifications
CAE Specifications and Developers' Specifications published prior to January 1998 have the same status as Technical Standards (see above).
Preliminary Specifications
Preliminary Specifications have usually addressed an emerging area of technology and consequently are not yet supported by multiple sources of stable conformant implementations. There is a strong preference to develop or adopt more stable specifications as Technical Standards.
Consortium and Technology Specifications
The Open Group has published specifications on behalf of industry consortia. For example, it published the NMF SPIRIT procurement specifications on behalf of the Network Management Forum (now TMF). It also published Technology Specifications relating to OSF/1, DCE, OSF/Motif, and CDE.

In addition, The Open Group publishes Product Documentation. This includes product documentation-programmer's guides, user manuals, and so on-relating to the DCE, Motif, and CDE. It also includes the Single UNIX Documentation, designed for use as common product documentation for the whole industry.

Versions and Issues of Specifications

As with all live documents, Technical Standards and Specifications require revision to align with new developments and associated international standards. To distinguish between revised specifications which are fully backwards compatible and those which are not:

A new Version indicates there is no change to the definitive information contained in the previous publication of that title, but additions/extensions are included. As such, it replaces the previous publication.
A new Issue indicates there is substantive change to the definitive information contained in the previous publication of that title, and there may also be additions/extensions. As such, both previous and new documents are maintained as current publications.

Corrigenda

Readers should note that Corrigenda may apply to any publication. Corrigenda information is published on The Open Group Web Site at http://www.opengroup.org/corrigenda.

Ordering Information

Full catalog and ordering information on all Open Group publications is available on The Open Group Web Site at http://www.opengroup.org/pubs.

This Document

This CDSA Version 2 with corrigenda Technical Standard C914, May 2000, supersedes the November 1999 CDSA Version 2 Standard (C902). The launch by Intel in May 2000 of their implementation of CDSA as "Open Source" is intended to match C914.

The changes from C902 comprise corrections collected in a Corridendum, following extensive implementation experience since C902 was published in November 1999, plus an extensive restructuring of the complete document to eliminate unnecessary duplication of definitions and description.

The Common Data Security Architecture (CDSA) is a set of layered security services that provide the infrastructure for scalable, extensible and interoperable security solutions. It provides complete flexibility through the use of plug-in security modules that use common Application Programming Interfaces (APIs). The CDSA provides all the essential components of security capability, and enables implementers and application writers to gear their security solutions to their business needs.

History

The following summary provides a chronological history of the development of CDSA specifications since December 1997. It is intended for clarification purposes, in recognition that there is possibility of confusion over past version numbering assigned to previously-released CDSA documents and related software.

Any CDSA specifications released prior to December 1977 pre-date The Open Group's involvement.

In December 1997 The Open Group published its first CDSA Technical Standard (C707).
In Febuary 1998, Intel released a series of documents, all called "Common Data Security Architecture xx Specification, Release 1.2 February 1998". Titles in this Intel release included Application Programming Interface (API), Data Storage Library Interface (DLI), Add-in Module Structure and Administration, Cryptographic Service Provider Interface (SPI), Trust Policy Interface (TPI), and Certificate Library Interface (CLI). Those who licensed the reference software for this Intel documentation release 1.2 have not unnaturally refered to their implementations of it as version 1.2 of CDSA.
In May 1999, Intel released a document called "Common Security Services Manager, Application Programming Interface (API) Specification, CDSA Version 2.0 release 3.0". This had review status only.
In November 1999, The Open Group published its CDSA Version 2 Technical Standard (C902). This revision superseded the C707 Standard. The C902 Standard was based on considerable implementation experience, which was reflected in the very substantial changes from the previous C707 Standard
As a result of further detailed implementation work, including by Apple, and by Intel on their "Open Source" launch of their implementation, further detailed corrections were collected as a Corrigendum to the C902 (CDSAv2) Standard. At the same time, The Open Group restructured the complete Standard to remove considerable duplication of technical information - particularly in duplicated man-page definitions for related CSSM API and Service Provider interface function calls. The resulting revised CDSAv2 incorporating all these Corrigendum changes was published in May 2000 as the Common Security: CDSA and CSSM, Version 2 (with corrigenda) Technical Standard, C914.

Trademarks

Motif®, OSF/1®, UNIX®, and the "X Device" are registered trademarks and IT DialTone^TM; and The Open Group^TM; are trademarks of The Open Group in the U.S. and other countries.

Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owner's benefit, without intent to infringe.

Acknowledgements

The Open Group gratefully acknowledges the co-operative effort of participating industry leaders, led by Intel Architecture Labs., on this Common Data Security Architecture (CDSA) specification. This work was initiated by Intel Architecture Labs., and led to the development of CDSA and CSSM, having attained the support and participation of organizations such as Apple, Entrust, Hewlett-Packard, IBM, Motorola, Netscape, Sun, and Trusted Information Systems, together with the many member organizations of the PKI (Public Key Infrastructure) Task Group, who met regularly under the auspices of The Open Group.

The Open Group particularly acknowledges the detailed work contributed by Apple Computer Corporation, Intel Architecture Labs. and the IBM Corporation, to the development of the CDSA Version 2 Technical Standard, and to the ongoing work contributed by Apple Computer Corporation and Intel Architecture Labs in the development of this CDSA Version 2 with corrigenda Technical Standard.

Referenced Documents

The following documents are referenced in this Technical Standard:

ASN.1

ITU-T Recommendation X.200: Abstract Syntax Notation One (ASN.1).

BER

ITU-T Recommendation X.209: Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).

BSAFE

BSAFE Cryptographic Toolkit, RSA Data Security, Inc., Redwood City, CA.

Cryptography

Applied Cryptography, Second Edition, Protocols, Algorithms, and Source Code in C, Bruce Schneier: John Wiley & Sons, Inc., 1996.

Cryptography Usage

Handbook of Applied Cryptography, Menezes, A., Van Oorschot, P., and Vanstone, S., CRC Press, Inc., 1997.

DER

ITU-T Recommendation X.690: Distinguished Encoding Rules.

DSA

Federal Information Procurement Standard (FIPS) 186, Digital Signature Standard.

Key Escrow

A Taxonomy for Key Escrow Encryption Systems, Denning, Dorothy E., and Branstad, Dennis, Communications of the ACM, Vol 39, No. 3, March 1996.

OIW

Stable Implementation Agreements, Open Systems Environment Implementors Workshop, June 1995.

PKCS

The Public-Key Cryptography Standards, RSA Laboratories, RSA Data Security, Inc., Redwood City, CA.

PKCS #1: RSA Encryption Standard, RSA Data Security, Inc., October 1, 1998, Version 2.0.
PKCS #3: Diffie-Hellman Key-Agreement Standard, RSA Data Security, Inc., November 1, 1993, Version 1.4.
PKCS #7: Cryptographic Message Syntax, RSA Data Security, Inc., November 1, 1993, Version 1.5.
PKCS #8: Private-Key Information Syntax Standard, RSA Data Security, Inc., November 1, 1993, Version 1.2.

PKIX

Public Key Infrastructure Certificate Management Protocols, IETF PKIX Working Group, 1996

SDSI

SDSI: A Simple Distributed Security Infrastructure, R. Rivest and B. Lampson, 1996.

SHA

Federal Information Procurement Standard (FIPS) 180, Secure Hash Algorithm.

SPKI

Simple Public Key Infrastructure, Internet Draft: draft-ietf-spki-cert-structure-03.txt

X.509

ITU-T Recommendation X.509: The Directory-Authentication Framework, 1988.

License Agreement for CDSA Specifications

THIS LICENSE AGREEMENT IS IN RESPECT OF THE COMPILATION OF 15 SPECIFICATIONS RELATING TO COMMON DATA SECURITY ARCHITECTURE "(CDSA)" AND COMMON SECURITY SERVICES MANAGER "(CSSM)", PUBLISHED TOGETHER BY THE OPEN GROUP UNDER THE TITLE "COMMON SECURITY: CDSA AND CSSM, Version 2", DOCUMENT NUMBER C902, ISBN 1-85912-236-1 ("THE SPECIFICATION").

YOU CANNOT USE THIS SPECIFICATION ("THE SPECIFICATION") FOR SOFTWARE DEVELOPMENT UNTIL YOU HAVE CAREFULLY READ AND AGREED TO THE FOLLOWING TERMS AND CONDITIONS. THE PERSON WHO ORIGINALLY ACQUIRED THIS PUBLICATION THROUGH THE WORLD-WIDE WEB OR AS HARD COPY EXPLICITLY AGREED TO THESE TERMS AND CONDITIONS. AS THE READER OF THIS DOCUMENT YOU ARE BOUND BY THE SAME TERMS. THE TERMS OF THIS LICENSE AGREEMENT ALSO APPLY TO REVISIONS OF THIS SPECIFICATION MADE AVAILABLE TO YOU BY THE OPEN GROUP.

LICENSE: The Open Group grants you a non-exclusive copyright license to read and display the Specification, and to use the Specification to develop and distribute a conformant software implementation of the Specification on the terms set out in this Agreement. For the avoidance of doubt, this License does not authorize you to edit, republish or distribute the Specification or create any derivative work therefrom.

CONFORMANCE: A software implementation must be and remain a complete and conformant implementation of the CSSM. A conforming implementation of CSSM provides and supports all the application programming interfaces and service provider interfaces defined in the Specification, and for each elective module the implementation must provide and support all the application programming interfaces and service provider interfaces for that module. A software implementation of CSSM may be tested for conformance using the CDSA Conformance Test Suite ("the Test Suite"), available from The Open Group web site. You are not permitted to use the Test Suite for any other purpose, nor to disclose or make any claim that any product has "passed" the Test Suite test. You can not make any claims that your software product conforms to CDSA or CSSM or the Specification unless such product is registered under the Open Brand program.

LIABILITY: THE SPECIFICATION AND ANY OTHER MATERIALS PROVIDED BY THE OPEN GROUP UNDER THIS AGREEMENT ARE PROVIDED "AS IS", AND THE OPEN GROUP MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AND EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS AND FITNESS FOR A PARTICULAR PURPOSE.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE OPEN GROUP HEREBY EXCLUDES ALL LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING OUT OF OR RELATING TO THE USE BY ANY PERSON OF THE SPECIFICATION OR ANY OTHER MATERIAL PROVIDED HEREUNDER. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY INDIRECT OR CONSEQUENTIAL LOSSES INCLUDING, WITHOUT LIMITATION, ANY LOSS OF PROFITS, CONTRACTS, PRODUCTION OR USE.

TERMINATION OF THIS LICENSE: The Open Group may terminate this license at any time if you are in breach of any of its terms and conditions. Upon termination, you will immediately cease use of the Specification.

APPLICABLE LAW: This Agreement is governed by the laws of England and Wales, and you hereby agree to the non-exclusive jurisdiction of the English courts.

Contents

Next section

Index